Enabling RC4 in cipher suites for Aspera server product is NOT recommended

Flash (Alert)

Abstract

The Bar Mitzvah Attack exploits a previously known vulnerability in the RC4 component of the SSL/TLS communication protocols. This exploit allows the attacker to partially decrypt information sent between two computer systems across a network. This can be a serious security issue because RC4 reportedly protects as much as 30 percent of Internet SSL traffic, and the decrypted material may include passwords, credit card numbers, browser cookies, etc.

For all of the Aspera client and mobile applications, the RC4 cipher is disabled by default, and this can’t be changed. However, in some of our other applications, RC4 is disabled by default but can be enabled. This is a reminder NOT to enable RC4 cipher suites for the products listed below:

IBM Aspera Console Application

IBM Aspera Faspex Application

IBM Aspera Shares Application

IBM Aspera Orchestrator Application
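One way to check that RC4 has not been enabled, shown as an added example that is not IBM's code or tooling. It assumes the TLS endpoint in front of the application is configured with an OpenSSL-style cipher string in an Apache `SSLCipherSuite` or nginx `ssl_ciphers` directive, which this alert does not state; the sample configuration is constructed.

```python
import re

# Apache (SSLCipherSuite) and nginx (ssl_ciphers) both take OpenSSL cipher strings.
DIRECTIVE = re.compile(r"^\s*(SSLCipherSuite|ssl_ciphers)\s+(.+?);?\s*$", re.I)

def rc4_status(cipher_string):
    """Classify a cipher string as 'enabled', 'blocked' or 'review' for RC4."""
    added, killed = set(), False
    for token in re.split(r"[:,\s]+", cipher_string.strip().strip("\"'")):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        name = token[len(op):].upper()
        if "RC4" not in name or op == "+":
            continue                      # '+' only reorders suites already listed
        if op == "":
            if not killed:                # '!RC4' is permanent; later adds are ignored
                added.add(name)
        elif name == "RC4":
            added.clear()                 # '-RC4' or '!RC4' drops every RC4 suite
            killed = killed or op == "!"
        else:
            added.discard(name)           # removal of one named suite or combination
    if added:
        return "enabled"
    # 'review': RC4 is neither named nor killed, so aliases such as MEDIUM or ALL
    # decide; the answer depends on the OpenSSL build (check with `openssl ciphers -v`).
    return "blocked" if killed else "review"

def audit(config_text):
    """Return (line number, directive, status) for each cipher directive found."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if match:
            findings.append((lineno, match.group(1), rc4_status(match.group(2))))
    return findings

# Constructed sample configuration, not taken from any Aspera product.
SAMPLE = """\
# TLS settings
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA;
SSLCipherSuite HIGH:MEDIUM:!aNULL
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The classifier errs towards flagging: only an explicit `!RC4` is reported as `blocked`, and anything that relies on aliases is left for manual review.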

Content

Aspera products disable RC4 cipher suites by default. If you have installed any of the following applications, you should verify that you have not enabled the RC4 cipher suites: